
Best Practices for Virtualizing Active Directory

Breakout Session AP01
Chris Skinner, Senior Technical Instructor, VMware, Inc.
February 25, 2009

Disclaimer
This session may contain product features that are currently under development. This session/overview of the new technology represents no commitment from VMware to deliver these features in any generally available product. Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind. Technical feasibility and market demand will affect final delivery. Pricing and packaging for any new technologies or features discussed or presented have not been determined.
These features are representative of feature areas under development. Feature commitments are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind. Technical feasibility and market demand will affect final delivery.

Objectives and Goals


You can virtualize Active Directory successfully

It's not difficult, mystical or magical

Many companies have successfully deployed AD through virtualization

Agenda
Why should we virtualize Active Directory?

What are the challenges with virtualizing AD?

How does a company successfully migrate?

Why Virtualize?

Why Virtualize Active Directory?


Hardware Consolidation

Combine multiple, single use boxes

Standardization, eliminating imaging issues

Reduce product activation issues

Leverage VI 3 features: HA & DRS

Why Virtualize Active Directory?


Testing and Development

Policy testing
Schema changes
Migration/upgrade testing
Domain reconfigurations
Deployment scenarios
Disaster recovery solutions

Why Virtualize Active Directory?


Security Controls

Limiting physical access
Additional administrative controls
Separate applications from domain controllers

Challenges to Virtualizing Active Directory


Time synchronization
Performance
Replicating Active Directory changes
High availability of domain controllers
Disaster recovery

Time Synchronization
Virtualization Challenges

Time Synchronization - Why is it so important?


Active Directory operations are critically time dependent
The MS Kerberos implementation allows a 5 minute tolerance
File Replication Service (FRS) synchronizes scripts, database changes/updates and policies based, in part, on time-stamping

Time Server Hierarchies


Child PDC emulators can sync with any DC in the parent domain
Clients sync with any DC in their own domain
DCs can sync with the PDC emulator in their own domain or any DC in the parent domain

Source: Microsoft Corporation

Time Synchronization - Virtualization Issues


No CPU cycles needed, none given!
Clock drift can be significant in a relatively short period
Idle cycles in a virtual machine are an Active Directory domain's worst enemy
How do you combat time synchronization issues?
More than a 28 minute drift!
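A quick way to see whether a virtualized DC has drifted past the 5 minute Kerberos tolerance mentioned above, as an added check that is not part of the original deck: it samples each DC's clock over WMI and compares it with the PDC emulator's. It assumes Windows PowerShell (Get-WmiObject) and an account with WMI rights on every DC.

```powershell
# Added example, not from the original slides: compare every DC's clock with the
# PDC emulator's and flag offsets beyond the 5-minute Kerberos tolerance.
# Assumes Windows PowerShell (Get-WmiObject) and WMI rights on each DC.
$toleranceSeconds = 300   # MS Kerberos default skew tolerance, per the slide

$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$pdc    = $domain.PdcRoleOwner.Name

function Get-RemoteUtcTime([string]$Computer) {
    # Win32_OperatingSystem.LocalDateTime is a DMTF timestamp; convert it to UTC
    $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $Computer
    [System.Management.ManagementDateTimeConverter]::ToDateTime($os.LocalDateTime).ToUniversalTime()
}

# Sample the PDC emulator once and note when; later samples are corrected for
# the seconds that elapse while the other DCs are queried.
$pdcTime = Get-RemoteUtcTime $pdc
$sampled = [DateTime]::UtcNow

foreach ($dc in $domain.DomainControllers) {
    try {
        $expected = $pdcTime + ([DateTime]::UtcNow - $sampled)
        $offset   = ((Get-RemoteUtcTime $dc.Name) - $expected).TotalSeconds
        $status   = if ([Math]::Abs($offset) -gt $toleranceSeconds) { 'DRIFT' } else { 'ok' }
        '{0,-5} {1,-40} offset vs PDC emulator: {2,8:N1} s' -f $status, $dc.Name, $offset
    } catch {
        '{0,-5} {1,-40} query failed: {2}' -f 'ERROR', $dc.Name, $_.Exception.Message
    }
}
```

A DC that fails the query may itself be the drifted one, since Kerberos authentication to it stops working once the skew exceeds the tolerance.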

Time Synchronization - Option A: Using W32Time


Use Windows Time Service, NOT VMware Tools
Define an alternative external time source for the master time server
1. Modify registry settings on the PDC emulator for the forest root domain:
   HKLM\System\CurrentControlSet\Services\W32Time\Parameters
   Change the Type (REG_SZ) value from NT5DS to NTP
   Change the NtpServer value from time.windows.com,0x1 to an external stratum 1 time source, e.g. tock.usno.navy.mil,0x1

   HKLM\System\CurrentControlSet\Services\W32Time\Config
   Change AnnounceFlags (REG_DWORD) from 10 to 5
2. Stop and restart the time service:
   net stop w32time
   net start w32time
3. Manually force an update:
   w32tm /resync /rediscover
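The three Option A steps as one script, added here and not from the original deck: it refuses to run anywhere but the forest-root PDC emulator (the only DC that should point at an external source), records the old values, applies the changes, restarts the service and verifies the result. It assumes an elevated Windows PowerShell session on that DC; the NTP source defaults to the one the slide names.

```powershell
# Added example, not from the original slides: apply the Option A W32Time settings
# on the forest-root PDC emulator and verify them. Assumes elevated PowerShell on
# the DC itself; the time source defaults to the stratum 1 server from the slide.
param(
    [string]$NtpSource = 'tock.usno.navy.mil,0x1'
)

$paramKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
$configKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config'

# Safety check: only the forest-root PDC emulator should sync from an external source.
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$pdc = $forest.RootDomain.PdcRoleOwner.Name
$me  = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
if ($pdc -ne $me) {
    throw "This host ($me) is not the forest-root PDC emulator ($pdc); aborting."
}

# Record the current values so the change can be reverted if needed.
$before = Get-ItemProperty $paramKey
$flags  = (Get-ItemProperty $configKey).AnnounceFlags
Write-Output "Before: Type=$($before.Type) NtpServer=$($before.NtpServer) AnnounceFlags=$flags"

# Step 1 from the slide: NT5DS -> NTP, external source, AnnounceFlags 10 -> 5.
Set-ItemProperty -Path $paramKey  -Name Type          -Value 'NTP'
Set-ItemProperty -Path $paramKey  -Name NtpServer     -Value $NtpSource
Set-ItemProperty -Path $configKey -Name AnnounceFlags -Value 5 -Type DWord

# Step 2: restart the service (same effect as net stop / net start w32time).
Restart-Service -Name w32time

# Step 3: force a resync and rediscovery of the configured source.
w32tm /resync /rediscover | Out-Null

# Verify the values actually took; fail loudly otherwise.
$after = Get-ItemProperty $paramKey
if ($after.Type -ne 'NTP' -or $after.NtpServer -ne $NtpSource) {
    throw 'W32Time Parameters did not apply as expected.'
}
if ((Get-ItemProperty $configKey).AnnounceFlags -ne 5) {
    throw 'AnnounceFlags did not apply as expected.'
}
Write-Output "PDC emulator $me now syncing from $NtpSource (Type=NTP, AnnounceFlags=5)."
```

Per the summary slide, this is Option A only: VMware Tools time sync must stay disabled in this VM.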

Time Synchronization - Option B: VMware Tools


Modify Windows Time Service; use VMware Tools
Implement a Domain Controllers Group Policy to modify the registry:
(registry modification shown on slide)

Enable the ESX server NTP daemon to sync with an external stratum NTP source
VMware Knowledge Base ID# 1339

Use VMware Tools time synchronization within the virtual machine


NOTE: VMware Tools time sync is designed to play catch-up, not slow down!

Time Synchronization - Descheduled Time Accounting


Custom VMware Tools component
Tightly integrated with the hypervisor
Use with ESX 3.x VMs only
Currently for uniprocessor Windows and Linux VMs only
Improved accuracy for the guest OS's CPU time accounting
Allows quicker catch-up of time for the guest OS
Launches a VMDesched thread or process within the VM's OS

Time Synching - Descheduled Time Accounting (2)


Perform a Custom installation of VMware Tools in the Windows guest OS

Time Synchronization - Summary


Use one method or the other. Do NOT use both!!!
Decisions should be based on the current time management infrastructure or the organization's policies

Performance Issues
Virtualization Challenges

Performance for Virtualized Domain Controllers


Virtualized AD domain controllers can run at 85-90% of native system performance
Active Directory deployments in most datacenters utilize less than 10% of today's computing power

Requires significantly less hardware to achieve a greater number of virtualized domain controllers
A greater number of domain controllers provides better logon results and fewer points of failure

Performance - Single Processor

Performance - Dual Processors

Performance - Scaling Processors Up

Performance - Summary
Virtualization does not necessarily increase performance
Proper planning of resource allocation is still important
It's still important to follow Microsoft's best practices for the strategic placement of FSMO role servers, catalog servers, etc.

Virtualization Challenges
Security, Network and Replication

Security - VM Access Control

Network - Connections

Use the Maps view to verify network infrastructure

Create separate VM port groups connected to individual NICs

Network - Advanced Switch Settings


VMware ESX 3.x provides some more sophisticated network settings

Replication - Using Replication Monitor


Validating Inbound Connections

Security, Network & Replication Summary


Utilize VMware Infrastructure 3 access policies
Configure outbound virtual switches for redundancy
Validate/test for proper replication between virtualized domain controllers

Virtualization Challenges
High Availability & Disaster Recovery/Preparedness

High Availability - VMware ESX 3.x / vCenter Server 2.x


VMware provides solutions for automatically restarting virtual machines
Implement VMware HA as a high availability solution to ensure virtual machine domain controllers restart in the event an ESX server fails

High Availability - VMware ESX 3.x / vCenter Server 2.x (2)


Combined with VMware DRS
Anti-affinity rules can ensure domain controller VMs are segregated

Disaster Recovery Best Practices


Perform consistent system state backups
Provided by most major commercial backup software

Follow Microsoft recommendations on FSMO role placement


http://support.microsoft.com/kb/223346

All Active Directory restorations should be performed using authoritative and non-authoritative methods
Do not recover an Active Directory database from a backup copy of an old virtual disk!

Disaster Recovery - Scenarios


(Diagram: Improper Restore of VM vs. Proper Restore of VM)

Source: Microsoft Corporation

High Availability, Disaster Recovery Summary


Utilize VMware DRS and HA to implement a successful recoverability solution
Always continue to use Microsoft's System State data best practices to back up the AD database
Default useful life of System State data: 60-180 days
Controlled by the Tombstone lifetime attribute (depends on OS, SP, etc.)
Microsoft does not support snapshots of DCs: KB888794

Continue to follow best practices around the placement of key, critical roles

Transitioning from Physical to Virtual

How do you successfully migrate?


Virtual machine considerations
DNS configurations
Best practices

Virtual Machine Considerations


Size the VM's memory to run the entire AD database in cache to avoid disk performance hits

Windows 2003 Server    RAM cache value               Approx. # of users
32-bit                 2.75GB (using /3GB switch)    100,000
64-bit                 16GB                          2.5 million

Virtual Machine Considerations


Add, modify, search, delete and update operations will benefit significantly from caching
Slight penalty incurred for write operations, physical or virtual
Microsoft's AD Sizer can help you plan the size
Use Microsoft's best practices and separate boot, database and log virtual disks on individual SCSI controllers to optimize write performance

Transitioning from Physical to Virtual


1. Start with a fresh system state backup for recovery
2. Consider creating a dedicated virtual switch or virtual machine port group to isolate replication traffic
3. Generally, single processor virtual machines are adequate for domain controllers
4. Validate inbound/outbound connections between physical and virtual machines
5. Allow 24-48 hours for replication to complete
6. Change the weight and/or priority of the DNS SRV records for virtual machines
7. Monitor the logon requests to ensure virtual machines are successfully responding
8. Decommission physical domain controllers

DNS Modifications - Transitioning to VMs


Modify the weight and/or priority of the DNS SRV records
Specifically, offload the authentication requests from the PDC emulator when possible
DNS weight is the proportional distribution of requests among DNS servers
DNS priority is the likelihood a server will receive a request
PDC emulators should have one or both adjusted accordingly by adding:
   HKLM\System\CurrentControlSet\Services\Netlogon\Parameters
   LdapSrvWeight DWORD, decimal value of 25 or 50

   HKLM\System\CurrentControlSet\Services\Netlogon\Parameters
   LdapSrvPriority DWORD, decimal value of 100 or 200

Physical domain controllers should be adjusted similarly to decrease dependencies on the PDC emulator

DNS Modifications
Can also be changed within DNS Manager
Registry changes do not require a reboot
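The SRV adjustment from the migration steps and the two slides above, as an added example that is not from the original deck: it sets the Netlogon weight and priority on the DC it runs on (intended for the PDC emulator or a physical DC being offloaded), re-registers the records without a reboot, and then shows what share of logon requests each DC can expect. It assumes an elevated PowerShell session on the DC, Resolve-DnsName (Windows Server 2012 or later), and the built-in nltest tool.

```powershell
# Added example, not from the original slides: lower this DC's SRV weight/priority so
# fewer clients pick it for logon, then re-register and show the resulting shares.
# Assumes elevated PowerShell on the DC, Resolve-DnsName (Server 2012+) and nltest.
param(
    [int]$Weight   = 25,    # slide suggests 25 or 50; every DC defaults to 100
    [int]$Priority = 100    # slide suggests 100 or 200; default is 0, lowest wins
)

$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
Set-ItemProperty -Path $netlogon -Name LdapSrvWeight   -Value $Weight   -Type DWord
Set-ItemProperty -Path $netlogon -Name LdapSrvPriority -Value $Priority -Type DWord

# No reboot is needed, but Netlogon must re-register its DNS records to publish
# the new values; nltest /dsregdns forces that registration.
nltest /dsregdns | Out-Null

$domain = $env:USERDNSDOMAIN
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV |
       Where-Object { $_.Type -eq 'SRV' }

# Clients only use the lowest-priority group and spread requests across it in
# proportion to weight, so a DC raised to priority 100 becomes standby-only
# while a DC left at priority 0 with weight 25 still answers a reduced share.
$lowest = ($srv | Measure-Object -Property Priority -Minimum).Minimum
$total  = ($srv | Where-Object { $_.Priority -eq $lowest } |
           Measure-Object -Property Weight -Sum).Sum
$srv | Sort-Object Priority, NameTarget | ForEach-Object {
    $share = if ($_.Priority -eq $lowest -and $total -gt 0) {
        '{0:P1}' -f ($_.Weight / $total)
    } else { 'standby' }
    '{0,-40} priority={1,-4} weight={2,-4} share={3}' -f $_.NameTarget, $_.Priority, $_.Weight, $share
}
```

Raising priority removes the DC from normal logon selection entirely, so when the goal is merely to lighten the PDC emulator's load, adjusting weight alone is the gentler choice.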

Best Practices
Avoid snapshots or REDOs for domain controller virtual machines
Do not suspend domain controller virtual machines for long periods
Consistent and regular system state backups are still very important
Avoid physical to virtual DC conversions

Virtualizing Active Directory can be done!!!


Regular System State backups
Time synchronization
High availability/disaster recovery plan
Monitor replication traffic
Modify DNS SRV records to redirect logon authentications to VMs
Go back and constantly re-evaluate your strategy!!!

VI OPS Portal
A customizable collaboration site for sharing role and subject based proven, prescriptive, and actionable guidance.
Features:
Approved operational practices
Best practices of industry experts
Prescriptive guidance
For customers, by customers
Consistent appearance

http://viops.vmware.com

Additional Information
VMware Time Sync and Windows Time Service
VMware Knowledge Base ID# 1318 - http://kb.vmware.com/kb/1318

Installing and Configuring NTP on VMware ESX Server


VMware Knowledge Base ID# 1339 - http://kb.vmware.com/kb/1339

VMware Descheduled Time Accounting


http://www.vmware.com/pdf/vi3_esx_vmdesched.pdf

How to detect and recover from a USN rollback in Windows Server 2003
http://support.microsoft.com/kb/875495

How to detect and recover from a USN rollback in Windows 2000 Server
http://support.microsoft.com/kb/885875

Additional Information (2)


Active Directory Performance for 64-bit Versions of Windows Server 2003
http://www.microsoft.com/downloads/details.aspx?FamilyID=52E7C3BD-570A-475C-96E0-316DC821E3E7&displaylang=en

Microsoft's Active Directory Sizer for Windows 2000


http://download.microsoft.com/download/win2000platform/ASsizer/1.0/NT5/EN-US/setup.exe

Active Directory Performance Testing Tool (ADTest.exe)


http://www.microsoft.com/downloads/details.aspx?familyid=4814FE3F-92CE-4871-B8A4-99F98B3F4338&displaylang=en

Support policy for Microsoft software running in non-Microsoft hardware virtualization software
http://support.microsoft.com/kb/897615

How to configure an authoritative time server in Windows Server 2003


http://support.microsoft.com/kb/816042

Thank you!!

Thank you for coming. Rate your session and watch for the highest scores!
